b'                                     Office of the Inspector General\n                     United States Government Accountability Office\n\n\nGAO/OIG\n\nMay 2011\n               SEMIANNUAL\n               REPORT\n\n               October 1, 2010------\n               March 31, 2011\n\n\n\n\nGAO/OIG-11-4\n\x0c                                                                    Office of the Inspector General\n                                                    United States Government Accountability Office\n\n\n\n\nMemorandum\nDate:        May 24, 2011\n\nTo:          Comptroller General Gene L. Dodaro\n\nFrom:        Inspector General Frances Garcia\n\nSubject: Semiannual Report\xe2\x80\x94October 1, 2010, through March 31, 2011\n\nIn accordance with Section 5 of the Government Accountability Office Act of 20081\n(GAO Act), I am pleased to present my semiannual report for the 6-month period\nending March 31, 2011, for your comments and its transmission to the Congress.\n\nDuring the reporting period, the Office of the Inspector General (OIG) continued its\nefforts to finalize and implement the revised OIG order to reflect our statutory role\nand responsibilities while continuing to conduct audits and investigations. We are in\nthe process of considering and responding to comments we received on the revised\ndraft OIG order and making changes in the order, as appropriate. In addition, we\ncompleted an internal review of our quality assurance framework and are in the\nprocess of taking steps to further strengthen our processes and controls in response\nto this review. We recognize that other changes to our quality assurance framework\nmay be needed as we finalize our OIG order and complete our transition to the role of\na statutory OIG. As a result, we do not anticipate participating in a peer review until\nwe have completed this transition and have conducted and fully addressed any\nrecommendations resulting from at least two additional internal inspections.\n\nWe also prepared an annual work plan for fiscal year 2011 based on our updated audit\nrisk assessment of GAO operations, and we conducted a planning survey to further\nidentify potential risks in GAO\xe2\x80\x99s procurement activities and areas for future work.\nWhile our engagements are generally focused on areas identified in our work plan,\nadjustments to our work plan are made, as needed, in an effort to ensure we are in\ntune with changing conditions or emerging issues and are able to respond\nappropriately.\n\nIn addition, we completed our annual review of GAO\xe2\x80\x99s assessment of its management\nchallenges. We agreed with the assessment that physical security, information\nsecurity, and human capital continue to be management challenges that may affect\nGAO\xe2\x80\x99s performance. We also agreed with management\xe2\x80\x99s view that progress is being\n\n1\n Pub. L. No. 110-323, 122 Stat. 3539 (Sept. 22, 2008).\n\n\n\n\nPage 1                                                     GAO/OIG-11-4 Semiannual Report\n\x0cmade in addressing these challenges. However, we believe that further review is\nwarranted to determine if these areas can be removed as management challenges and\nif other risks emerge that should be designated as management challenges.\n\nFinally, we continued to participate in the activities of the broader inspector general\ncommunity, including the Council of the Inspectors General on Integrity and\nEfficiency and the quarterly meetings of Legislative Branch Inspectors General.\n\nAudits and Inspections\nDuring the reporting period, we issued two public reports\xe2\x80\x94an assessment of the\nadequacy of GAO\xe2\x80\x99s controls to prevent and detect employee misuse and delinquency\nof government travel cards2 and an evaluation of GAO\xe2\x80\x99s information security program\nand practices for fiscal year 2010.3 A summary of these reports and GAO actions to\naddress our recommendations are presented in attachment I.\n\nInvestigations and Hotline Activities\nRegarding our efforts to identify potential fraud, waste, and abuse, the OIG\xe2\x80\x99s hotline\nis our primary source of complaints.4 The OIG receives hotline complaints through a\nvariety of sources, such as through its toll-free hotline number and e-mail. As shown\nin table 1, we had a total of 129 complaints, 7 of which were open at the start of this\n6-month reporting period and 122 new complaints received during the period.\n\nTable 1: Summary of OIG Hotline and Investigative Activity, October 1, 2010, through March 31, 2011\n\n                                                 Complaints\n                                                                Referred to\n                                                Closed,         other GAO\n    Open at                                 insufficient           units or\n    start of                   Referred to information/               other       Closed Open at end\n    period       Received       FraudNet       no basis           agencies investigations  of period\n    7                 122              58             46                  5             9         11\nSource: GAO OIG.\nNote: \xe2\x80\x9cComplaints\xe2\x80\x9d include inquiries and allegations received by OIG.\n\nThe 7 open cases from the prior semiannual reporting period covered a wide range of\nmatters, such as issues related to telework, travel voucher claims, and the day care\nfacility located at GAO headquarters. Of these 7 cases, we closed 4\xe2\x80\x942 because of no\nbasis for further action and 2 after conducting investigations. Three remained open at\nthe end of the period. We referred the results of one investigation to GAO\xe2\x80\x99s Office of\nWorkforce Relations to determine whether any administrative action is appropriate.\n\n2\n  GAO, Office of the Inspector General, GAO Travel Cards: Opportunities Exist to Further Strengthen\nControls, GAO/OIG-11-1 (Washington, D.C.: Dec. 7, 2010).\n3\n  GAO, Office of the Inspector General, Information Security: Evaluation of GAO\xe2\x80\x99s Program and\nPractices for Fiscal Year 2010, GAO/OIG-11-3 (Washington, D.C.: Mar. 4, 2011).\n4\n  Complaints include inquiries and allegations received by OIG.\n\n\n\n\nPage 2                                                              GAO/OIG-11-4 Semiannual Report\n\x0cIn addition, our investigation into the daycare facility resulted in our suggesting that\nmanagement consider expanding GAO\xe2\x80\x99s role in overseeing the facility.\n\nDuring the current reporting period, we received 122 new complaints through our\nhotline and other sources. Fifty-eight of the 122 complaints concerned matters\nrelated to other federal agencies and were referred to GAO\xe2\x80\x99s FraudNet\xe2\x80\x94a\ngovernmentwide hotline operated by GAO staff that receives complaints of fraud,\nwaste, and abuse of federal funds. Of the remaining 64 complaints received during the\nreporting period, we\n\n   \xef\x82\xb7     closed 4 complaints after we conducted investigations and combined 3 other\n         complaints into ongoing investigations. The closed investigations included\n         issues relating to unemployment insurance payments for employees of a GAO\n         contractor, purchase card fraud, employee misconduct, and a whistleblower\n         complaint regarding a GAO audit. One of these investigations resulted in an\n         employee being counseled, and, following another investigation, an employee\n         resigned from GAO before the agency could take administrative action.\n   \xef\x82\xb7     closed an additional 44 complaints when we determined there was no basis for\n         additional action, sometimes after completing preliminary investigative work.\n         In one of these 44, we provided assistance to the District of Columbia OIG on\n         an investigation.\n   \xef\x82\xb7     referred 5 complaints\xe2\x80\x944 to other GAO units and 1 to another agency\xe2\x80\x94for\n         action that involved such issues as e-mail scams, employee misconduct, and an\n         information request.\n   \xef\x82\xb7     continued efforts on the remaining 8 open complaints.\n\nAgency Actions on Recommendations Made in Prior OIG Reports\nDuring this reporting period, GAO undertook or continued actions to respond to\nrecommendations intended to provide oversight of and controls over GAO\xe2\x80\x99s\ncontractor parking policies and practices. For example, GAO has developed\nprocedures to ensure provisions in the GAO Vehicle Parking Program order are\nstrictly adhered to regarding contractor parking. This includes developing procedures\nto ensure that contractor parking is provided according to contract provisions and\nthat contract language regarding parking is standardized and includes appropriate\ncaveats.\n\nGAO also took actions to respond to a recommendation that the Office of General\nCounsel consider the adoption of suspension and debarment procedures, including\nreporting any suspended or debarred GAO contractors to the Excluded Parties List\nSystem (EPLS). To address this recommendation, the General Counsel established a\nstudy team to consider the merits of a suspension and debarment procedure at GAO.\nThis team recommended, and the Executive Committee concurred, in April 2011, that\nGAO should develop suspension and debarment procedures, including EPLS\nreporting. GAO is now in the process of developing such procedures.\n\n\n\n\nPage 3                                                GAO/OIG-11-4 Semiannual Report\n\x0cI provided GAO with a draft of this report for review and comment. The agency\nprovided technical comments that we incorporated, as appropriate.\n\nFinally, I want to thank GAO\xe2\x80\x99s Executive Committee, managers, and staff for their\ncooperation during our reviews.\n\nAttachment\n\ncc: Patricia A. Dalton, Chief Operating Officer, GAO\n    David M. Fisher, Chief Administrative Officer/Chief Financial Officer, GAO\n    Lynn H. Gibson, General Counsel, GAO\n    GAO\xe2\x80\x99s Audit Advisory Committee\n\n\n\n\nPage 4                                             GAO/OIG-11-4 Semiannual Report\n\x0cAttachment I\n\n                  Summary of GAO/OIG Reports and GAO Actions\n\nReports Issued October 1, 2010, through March 31, 20115\n\nGAO Travel Cards: Opportunities Exist to Further Strengthen Controls\n(GAO/OIG-11-1, Dec. 7, 2010)\n\nFindings: GAO\xe2\x80\x99s policy and procedures were generally effective in preventing and\ndetecting travel charge card misuse. However, OIG identified areas where GAO\xe2\x80\x99s\ntravel card program could be strengthened by adopting selected best practices\nidentified in related Office of Management and Budget (OMB) guidance. As a\nlegislative branch agency, GAO is not required to follow any OMB circulars, including\nOMB Circular No. A-123 or its appendixes. In testing the effectiveness of GAO\xe2\x80\x99s\nmonitoring of travel card delinquency, OIG found that the agency could improve its\nprocedures to reduce delinquency. While GAO has had a process to take action when\nemployees were delinquent in paying their travel cards, OIG found that GAO was\nmissing a key component\xe2\x80\x94procedures that set out the requirements and time frames\nfor referring delinquent cardholders for potential disciplinary action. OIG also found\nthat GAO has implemented some of the controls identified by OMB in its guidance\nbut is not using other controls, such as statistical and narrative information on travel\ncard use to enhance program oversight and management of its travel card program.\nFurther, GAO had not developed a management plan to help provide a road map for\nensuring the ongoing effectiveness of its risk management controls. In addition, OIG\nfound that internal controls and best practices identified in OMB Circular No. A-123,\nAppendix B, were not used by GAO to manage or assess the effectiveness of GAO\xe2\x80\x99s\ntravel card program controls.\n\nRecommendations and GAO actions: This report recommends that GAO (1) develop\nprocedures to minimize the number of travel cards and review the appropriateness of\ntravel card spending and related ATM cash advance limits; (2) develop policies and\nprocedures, including time frames, for referring delinquent cardholders for\ndisciplinary action and notifying the OIG of actions taken; (3) develop and report\nstatistical and narrative travel card compliance information to oversight managers;\n(4) establish a goal to gauge agency progress in reducing delinquency; (5) consider\nestablishing a policy to use OMB Circular No. A-123, Appendix B, in GAO\xe2\x80\x99s annual\nassessment of the effectiveness of the travel card program\xe2\x80\x99s internal controls; and\n(6) consider identifying and adopting, as appropriate, additional controls and best\npractices identified in OMB Circular No. A-123, Appendix B, to help reduce travel card\nprogram risk and improve management\xe2\x80\x99s assessment of travel card program controls.\nGAO concurred with these recommendations and has taken actions to reduce the\nnumber of travel card accounts and develop standard operating procedures to refer\n\n\n5\nIn addition to the reports cited, we issued our semiannual report for the 6-month period ending\nSeptember 2010: GAO, Office of the Inspector General, Semiannual Report\xe2\x80\x94April 1, 2010, through\nSeptember 30, 2010, GAO/OIG-11-2 (Washington, D.C.: Dec. 7, 2010).\n\n\n\n\nPage 5                                                    GAO/OIG-11-4 Semiannual Report\n\x0cdelinquent cardholders to GAO\xe2\x80\x99s Office of Workforce Relations. GAO is continuing to\naddress the remaining recommendations in this report.\n\nInformation Security: Evaluation of GAO\xe2\x80\x99s Program and Practices for Fiscal Year\n2010 (GAO/OIG-11-3, Mar. 4, 2011)6\n\nFindings: The OIG\xe2\x80\x99s evaluation showed that, in voluntary compliance with the\nFederal Information Security Management Act of 2002 (FISMA), GAO has established\nan information security program that is generally consistent with requirements of this\nact, Office of Management and Budget (OMB) implementing guidance, and standards\nand guidance issued by the National Institute of Standards and Technology. However,\nbased on evaluation metrics provided by OMB for inspectors general, the OIG\nidentified improvement opportunities for specific elements of GAO\xe2\x80\x99s program that\nconcerned (1) identifying the agency\xe2\x80\x99s systems inventory and assuring that all\nsystems operated by GAO or by contractors meet security requirements,\n(2) implementing additional computer-scanning capabilities to test security\nconfiguration settings, (3) remediating configuration-related vulnerabilities in a\ntimely manner, (4) ensuring that contractors have access to required role-based\nsecurity awareness training, and (5) planning for further implementation of the\npersonal identity verification requirements of Homeland Security Presidential\nDirective 12 (HSPD-12).\n\nRecommendations and GAO actions: This report recommends that GAO\n(1) incorporate procedures within its annual systems inventory process that require\ninventory changes to be documented and formally approved by the Chief Information\nOfficer and that system interfaces be identified, (2) identify and pursue additional\noptions for obtaining assurances that certain contractor systems meet federal\ninformation security requirements, (3) continue efforts to complete and document\nrequired information security processes and procedures for all GAO-operated\nsystems, (4) proceed with plans to establish a security configuration scanning\ncapability for GAO notebook computers and workstations, (5) incorporate changes to\nthe configuration management process that remediate specific open configuration-\nrelated vulnerabilities, (6) ensure that access to annual role-based information\nsecurity training or its equivalent is provided for all contractor staff required to take\nthis training, and (7) develop and brief senior management on a plan for practical\nimplementation of HSPD-12 requirements. GAO concurred with these\nrecommendations and has identified actions to address them with target completion\ndates through the end of fiscal year 2011.\n\n\n\n\n(998299)\n\n6\nBecause the full report contains sensitive information, only our Highlights page is publicly available\non http://www.gao.gov. However, congressional members can request the full report.\n\n\n\n\nPage 6                                                         GAO/OIG-11-4 Semiannual Report\n\x0c                          To report fraud, waste, and abuse in GAO\xe2\x80\x99s internal operations, do one of\nReporting Fraud,          the following. (You may do so anonymously.)\nWaste, and Abuse in\n                      \xe2\x80\xa2   Call toll-free (866) 680-7963 to speak with a hotline specialist, available 24\nGAO\xe2\x80\x99s Internal            hours a day, 7 days a week.\nOperations\n                      \xe2\x80\xa2   Send an e-mail to OIGHotline@gao.gov.\n\n                      \xe2\x80\xa2   Send a fax to the OIG Fraud, Waste, and Abuse Hotline at (202) 512-8361.\n\n                      \xe2\x80\xa2   Write to:\n                          GAO Office of Inspector General\n                          441 G Street NW, Room 1808\n                          Washington, DC 20548\n\n                          To obtain copies of OIG reports and testimony, go to GAO\xe2\x80\x99s Web site:\nObtaining Copies of       www.gao.gov/about/workforce/ig.html.\nGAO/OIG Reports and\nTestimony\n\n                          Ralph Dawn, Managing Director, dawnr@gao.gov, (202) 512-4400\nCongressional             U.S. Government Accountability Office, 441 G Street NW, Room 7125\nRelations                 Washington, DC 20548\n\n                          Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800\nPublic Affairs            U.S. Government Accountability Office, 441 G Street NW, Room 7149\n                          Washington, DC 20548\n\n\n\n\n                          This is a work of the U.S. government and is not subject to copyright protection in the\n                          United States. The published product may be reproduced and distributed in its entirety\n                          without further permission from GAO. However, because this work may contain\n                          copyrighted images or other material, permission from the copyright holder may be\n                          necessary if you wish to reproduce this material separately.\n\n\n\n\n                                 Please Print on Recycled Paper\n\x0c'